Port-based packet filter

ABSTRACT

A method, apparatus, and program product for reducing unwanted host wake-up messages. A host computer finds a port in use by a host application, selects program information based on the port in use by the application, and sends the program information to a port filter. The port filter receives a packet that contains a port identifier. The port-filter uses the program information to decide whether there is a host application associated with the port identifier and sends a wake-up message to the host computer only when there is an associated host application.

PRIORITY APPLICATION

This application is a continuation of U.S. application Ser. No. 09/746,205, filed Dec. 22, 2000, which is incorporated herein by reference in its entirety.

FIELD

This invention relates generally to communication between computers in a network and more particularly to filtering network packets based on the associated port.

COPYRIGHT NOTICE/PERMISSION

A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings hereto: Copyright © Intel, Incorporated, 2000. All Rights Reserved.

BACKGROUND

Modern computers are often connected via networks, so that they can communicate with each other and share information. The Internet is an example of one such network. Computers send information to each other on the network via packets, which are collections of related data. In some networks, source computers routinely broadcast packets to all computers attached to the network, even though the intended destination is only one computer, or perhaps a subset of the computers. In other networks, the source and destination computers are not directly connected to each other, so a packet might need to travel through multiple computers before reaching its final destination. In both of these types of networks, a computer can receive large numbers of packets for which it is not the intended destination.

Since it is inefficient for a networked computer to waste its time and energy examining large numbers of packets for which it is not the intended destination, a networked computer typically offloads this function to a network adapter, through which the computer (called the host computer) attaches to the network. It is thus the job of the network adapter to examine each received packet, determine its intended destination, and present the received packet to the adapter's host computer only if the packet is intended for it. Otherwise, the network adapter merely discards the packet or forwards it through the network.

In order to save electricity, the host computer typically enters a power-managed state when it is not receiving packets. During a power-managed state, the host computer uses less electricity by powering down or reducing electricity to selected computer components. When the network adapter detects a packet for which the host computer is the final destination, the adapter sends the host a wake-up signal, which causes the host to return to its operational working state, so that the host is capable of processing the received packet, and so that other hosts on the network can access its resources, such as web pages, files, printers, applications or services.

Unfortunately, unauthorized persons or programs (often called hackers) will probe the network to find hosts that are running applications or services that can be attacked. These hackers attempt to access the host computer by sending packets that contain the destination address of the host computer. Since the host network address matches the address in the packet, the network adapter sends the host a wake-up signal causing it to wake up, even if there are no applications or services running that can respond to the received packet. This wastes the host's time and energy and makes the host vulnerable to attack. Thus, there is a need for a solution that will protect a computer in a network from attack by unauthorized users and allow it to stay in the power-managed state until it receives a relevant packet.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts a pictorial example of a network of computers that can be used to implement an embodiment of the invention.

FIG. 2 depicts a block diagram of the principal components of the network of computers illustrated in FIG. 1, according to an embodiment of the invention.

FIG. 3 depicts a flowchart that describes a method at a host computer, according to an embodiment of the invention.

FIG. 4 depicts a flowchart that describes a method at a port filter, according to an embodiment of the invention.

FIG. 5 depicts a flowchart that describes a method at a port filter, according to an embodiment of the invention.

DETAILED DESCRIPTION

In the following detailed description of exemplary embodiments of the invention, reference is made to the accompanying drawings (where like numbers represent like elements), which form a part hereof, and in which is shown by way of illustration specific exemplary embodiments in which the invention may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the invention, but other embodiments may be utilized and logical, mechanical, electrical, and other changes may be made without departing from the scope of the present invention. The following detailed description is, therefore, not to be taken in a limiting sense, and the scope of the present invention is defined only by the appended claims.

FIG. 1 depicts an example of a network of computers that can be used to implement an embodiment of the invention. Host computer 110 is connected to remote computer 188 via network adapter 150 and network 160.

Computer 110 includes processing unit 112, display device 114, and keyboard 116. Processing unit 112 receives input data from input devices such as keyboard 116 and network adapter 150 and presents output data to a user via display device 114. Processing unit 112 also sends and receives packets of information across network 160 to and from remote computer 188 via network adapter 150.

Keyboard 116 is that part of computer 110 that resembles a typewriter keyboard and that enables a user to control particular aspects of the computer.

Video-display terminal 114 is the visual output of computer 110. Video-display terminal 114 can be a cathode-ray tube (CRT) based video display well known in the art of computer hardware. But, with a portable or notebook-based computer, video display terminal 114 can be replaced with a liquid crystal display (LCD) based or gas, plasma-based, flat-panel display.

To support storage and retrieval of data, processing unit 112 further includes diskette drive 122, hard-disk drive 123, and tape drive 124, which are interconnected with other components of processing unit 112. Although diskette drive 122, hard-disk drive 123, and tape drive 124 are shown incorporated into system unit 112, in another embodiment, they can be external to system unit 112, either connected directly, on a local area network (LAN), on network 160, or attached to remote computer 188.

Diskette drive 122 and hard disk drive 123 are electro-mechanical devices that read from and write to magnetic disks, although any non-volatile storage devices can be used, such as CD-ROM drives. Tape drive 124 is an electro-mechanical device that reads from and writes to tape media. The tape media is typically a long, flat piece of flexible plastic influenced to hold information recorded in digital form.

In one embodiment, the hardware of computer 110 is implemented using an IBM-compatible personal computer available from a number of vendors. But, an embodiment of the present invention can apply to any hardware configuration that allows filtering of packets, regardless of whether the computer is a complete, multi-user computer apparatus, a single-user workstation, or a network appliance that does not have non-volatile storage of its own. Computer 110 is thus a configuration that includes all functional components of a computer and its associated hardware. In general, a typical computer system includes a console or processing unit such as processing unit 112, with one or more disk drives, a monitor such as video display terminal 114, and a keyboard such as keyboard 116, although one or more of these elements can be missing, and additional elements can be added.

Network adapter 150 facilitates communication between computer 110 and network 160, which might be a local area network (LAN), wide area network (WAN), an intranet, or the Internet. The operation of network adapter 150 is further described with reference to FIGS. 2, 4, and 5.

Remote computer 188 can be implemented using any suitable computer. Remote computer 188 sends and receives packets across network 160. Although only one remote computer is shown, in another embodiment any number of remote computers can be present.

FIG. 2 depicts a block diagram of the principal components of processing unit 112 of computer 110 and network adapter 150 attached via network 160 to remote computer 188. Computer 110 contains memory 230 connected via bus 255 to processor 240, diskette drive 122, hard-disk drive 123, and tape drive 124. Although the various components of FIG. 2 are drawn as single entities, each may consist of multiple entities and may exist at multiple levels.

Memory 230 comprises a number of individual, volatile-memory modules that store segments of operating system and application software while power is supplied to computer 110. The software segments are partitioned into one or more virtual memory pages that each contains a uniform number of virtual memory addresses. When the execution of software requires more pages of virtual memory than can be stored within memory 230, pages that are not currently needed are swapped with the required pages, which are stored within non-volatile storage devices 122 or 123. Memory 230 is a type of memory designed such that the location of data stored in it is independent of the content. Also, any location in memory 230 can be accessed directly without needing to start from the beginning.

Memory 230 contains application 260, controller 262, and program information 264. Application 260 is an application or service in computer 110 that is capable of being associated with a network port number. A port number identifies a logical connection to a process, such as application 260, on computer 110 and enables packets of information to be sent via network 160 to this process. Although one application 260 is shown, in another embodiment multiple applications are present. Application 260 contains instructions capable of being executed by processor 240.

Controller 262 manages the connection of application 260 to network 160 through network adapter 150 using program information 264. Controller 262 contains instructions capable of being executed by processor 240. In another embodiment, controller 262 can be implemented by control circuitry through the use of logic gates, programmable logic devices, or other hardware components in lieu of a processor-based system. The operations of controller 262 are further described with reference to FIG. 3.

Referring again to FIG. 2, program information 264 is used by controller 262 to program network adapter 150 to filter packets received from network 160. Upon receiving program information 264, network adapter 150 will send to host computer 110 only the packets that meet the criteria specified in program information 264. In one embodiment, program information 264 contains instructions capable of being executed by network adapter 150. In another embodiment, program information 264 contains data identifying the port numbers of applications within computer 110. Program information 264 is further described with reference to FIGS. 3, 4, and 5.

Processor 240 executes instructions and includes that portion of host computer 110 that controls the operation of the entire computer system, including executing the arithmetical and logical functions contained in a particular computer program, such as application 260 and controller 262, in one embodiment. Although not depicted in FIG. 2, processor 240 typically includes a control unit that organizes data and program storage in a computer memory and transfers data and other information between the various parts of the computer system. Processor 240 accesses data and instructions from and stores data to memory 230.

Any appropriate processor can be utilized for processor 240. Although computer 110 is shown to contain only a single processor and a single system bus, the present invention applies equally to computers that have multiple processors and to computers that have multiple buses that each performs different functions in different ways.

Network adapter 150 facilitates communication between computer 110 and network 160. Network 160 provides a user of computer 110 with a means of electronically communicating information, such as packets, with a remote computer or a network logical-storage device. In addition, in one embodiment, network 160 supports distributed processing, which enables computer 110 to share a task with other computer systems linked to the network.

Network adapter 150 contains networking device 272, pattern filter(s) 274, and port filter(s) 276. Although network adapter 150 is shown as separate from host computer 110, in another embodiment they are packaged together.

Networking device 272 sends and receives packets of information across network 160. In one embodiment, networking device 272 is a cable modem, but in other embodiments, networking device 272 can be a DSL (Digital Subscriber Line) modem, an ISDN (Integrated Services Digital Network) terminal adapter, an Ethernet interface device, or any other type of LAN, WAN, or broadband device. In one embodiment, networking device 272 supports communication between computer 110 and another computer system over a standard telephone line. In another embodiment, networking device 272 attaches to a dedicated cable. In another embodiment, through networking device 272 computer 110 can access other sources such as a server, an electronic bulletin board, and the Internet or World Wide Web.

Networking device 272 is capable of communicating across network 160 using a TCP/IP (Transmission Control Protocol/Internet Protocol) or UDP/IP (User Datagram Protocol/Internet Protocol) connection, but in other embodiments, any suitable communications protocol can be used, for example the ISO/OSI (International Organization for Standardization/Open Systems Interconnection) model.

Pattern filter 274 interrogates the packets of information that are received by networking device 272 and forwards to port filter 276 only those packets containing data in selected fields that match data associated with computer 110. Examples of the selected fields are the network address and the protocol identifier, but any appropriate field or fields can be used. All other packets are either discarded or forwarded on to their proper destination on network 160.

Port filter 276 is programmed by program information 264 to filter received packets based on port number and to present only those packets to computer 110 that contain port numbers matching the port number of application 260. Although two port filters are shown in FIG. 2, in another embodiment any number can be present corresponding to the number of applications executing on host computer 110 associated with a port number. In still another embodiment, only one port filter exists in network adapter 150, which handles all applications in host computer 110.

In one embodiment, port filter 276 is implemented via an unillustrated processor and memory, and program information 264 is downloaded from computer 110 into the port-filter memory and executed by the port-filter processor. In another embodiment, program information 264 contains data about the port numbers being used by applications 260, and this data is interpreted by instructions executing on the processor of port filter 276. In still another embodiment, port filter 276 is implemented by control circuitry through the use of logic gates, programmable logic devices, or other hardware components, and program information 264 contains data that is used by the control circuitry. The operation of port filter 276 is further described with reference to FIGS. 4 and 5.

Network 160 can include a plurality of networks, each of which can include a plurality of individual computers. In one embodiment, network 160 and remote computer 188 are located a great geographic distance from computer 110, but in another embodiment they can be in the same room or even on the same desktop. Network adapter 150 can be connected to network 160 via a standard telephone line, a dedicated cable, or a wireless communications link.

The configuration depicted in FIG. 1 is but one possible implementation of the components depicted in FIG. 2. Portable computers, laptop computers, and network computers or Internet appliances are other possible configurations. The hardware depicted in FIG. 2 may vary for specific applications. For example, other peripheral devices such as optical-disk media, audio adapters, or chip programming devices, such as PAL or EPROM programming devices can be used in addition to or in place of the hardware already depicted. Thus, an embodiment of the invention can apply to any hardware configuration that allows filtering of packets, regardless of whether the hardware configuration is a complicated, multi-user computing apparatus, a single-user workstation, or a network appliance that does not have non-volatile storage of its own.

As will be described in detail below, aspects of an embodiment pertain to specific method elements implementable on computers. In another embodiment, the invention can be implemented as a computer program product for use with a computer. The programs defining the functions of the embodiment can be delivered to computer 110 or network adapter 150 via a variety of signal-bearing media, which include, but are not limited to:

(1) information permanently stored on non-writeable storage media (e.g., read-only memory devices within a computer such as CD-ROM disks) readable by an unillustrated CD-ROM drive;

(2) alterable information stored on writeable storage media (e.g., floppy disks within diskette drive 122, tapes within tape drive 124, or disks within hard-disk drive 123); or

(3) information conveyed by a communications media, such as through a computer or telephone network including wireless communications.

Such signal-bearing media, when carrying computer-readable instructions that direct the functions of the present invention, represent embodiments of the present invention.

FIG. 3 depicts a flowchart that describes a method at host computer 110, according to an embodiment of the invention. Control begins at block 300. Control then continues to block 310 where controller 262 detects that application 260 has been started. Control then continues to block 320 where controller 262 detects the port number associated with application 260. Control then continues to block 330 where controller 262 selects the program information 264 based on the application detected in block 310 and the port determined in block 320. In one embodiment, program information 264 includes multiple port-filter programs containing executable instructions and data, each tailored for a particular port. In another embodiment, there is only one port-filter program, which contains executable instructions and data regarding each application 260 and its associated port number. In still another embodiment, program information 264 contains data regarding the applications and port numbers, but program information 264 does not contain executable instructions.

Control then continues to block 340 where controller 262 sends the program information selected at block 330 to port filter 276. Control then continues to block 350 where controller 262 causes computer 110 to enter a power-managed state when there are no received packets. During a power-managed state, computer 110 consumes a reduced amount of power. Control then continues to block 360 where controller 262 receives a wake-up signal from network adapter 150 and in response changes computer 110 from its power-managed state to its normal, operating state. Control then continues to block 399 where the function returns.

FIG. 4 depicts a flowchart that describes a method at port filter 276, according to an embodiment of the invention. Control begins at block 400. Control then continues to block 410 where port filter 276 receives program information 264 from host computer 110. Control then continues to block 420 where, in one embodiment, port filter 276 initializes its functions with the data of program information 264. In another embodiment, port filter 276 loads the executable instructions of program information 264. Control then continues to block 499 where the function returns.

FIG. 5 depicts a flowchart that describes a method at port filter 276, according to an embodiment of the invention. Control begins at block 500. Control then continues to block 510 where port filter 276 receives a directed packet from remote computer 188 via network 160, networking device 272, and pattern filter 274. Control then continues to block 520 where port filter 276 determines whether the port number in the received packet matches the port number assigned to an application executing on host computer 110. Port filter 276 carries out this determination using program information 264, which was previously loaded as described with reference to FIG. 4. Referring again to FIG. 5, if the determination at block 520 is false, then control continues to block 530 where port filter 276 discards the received packet. Control then returns to block 510, as previously described above.

If the determination at block 520 is true, then control continues to block 540 where port filter 276 sends a wake-up message to host computer 110. Control then continues to block 599 where the function returns.
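As an added illustration, not code from the patent, the following Python models the FIG. 3 to FIG. 5 procedure in the data-only embodiment: controller 262 pushes a table of (protocol, port) pairs to the port filter, pattern filter 274 checks destination address and protocol, and port filter 276 wakes the host only for a port that has an application behind it, discarding everything else so a probe to a closed port never wakes the machine. The class and function names, the IPv4/TCP/UDP header layout used for the constructed packets, and the application_stopped step are assumptions not found in the patent.

```python
import struct
from dataclasses import dataclass, field

TCP, UDP = 6, 17  # IPv4 protocol numbers


def build_ipv4_packet(src_ip, dst_ip, proto, src_port, dst_port):
    """Constructed sample input: a minimal IPv4 packet with a TCP or UDP
    header. Checksums are left zero because the filters never read them."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    # TCP and UDP headers both start with source port, destination port.
    return ip_hdr + struct.pack("!HH", src_port, dst_port) + b"\x00" * 4


def parse_packet(packet):
    """Return (protocol, destination IP, destination port) of an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4  # IP header length in bytes
    proto = packet[9]
    dst_ip = ".".join(str(b) for b in packet[16:20])
    dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dst_ip, dst_port


@dataclass
class PatternFilter:
    """Pattern filter 274: passes only packets whose address and protocol
    fields match the host (the selected fields named in the description)."""
    host_ip: str

    def accept(self, packet):
        proto, dst_ip, _ = parse_packet(packet)
        return dst_ip == self.host_ip and proto in (TCP, UDP)


@dataclass
class PortFilter:
    """Port filter 276 in the data-only embodiment: program information 264
    is the set of (protocol, port) pairs that have a host application."""
    open_ports: frozenset = frozenset()

    def load_program_information(self, program_information):  # FIG. 4, block 420
        self.open_ports = frozenset(program_information)

    def handle(self, packet):  # FIG. 5, blocks 520-540
        proto, _, dst_port = parse_packet(packet)
        if (proto, dst_port) in self.open_ports:
            return "WAKE"     # block 540: send wake-up message to the host
        return "DISCARD"      # block 530: no application, host stays asleep


@dataclass
class HostController:
    """Controller 262: records which application owns which port and pushes
    the resulting program information to the port filter (FIG. 3)."""
    port_filter: PortFilter
    apps: dict = field(default_factory=dict)

    def application_started(self, name, proto, port):  # blocks 310-340
        self.apps[(proto, port)] = name
        self.port_filter.load_program_information(self.apps)

    def application_stopped(self, proto, port):
        # Assumed extension, not in the patent: shrink the table again so a
        # port nobody listens on can no longer wake the host.
        self.apps.pop((proto, port), None)
        self.port_filter.load_program_information(self.apps)


def adapter_receive(pattern_filter, port_filter, packet):
    """Network adapter 150: pattern filter first, then port filter."""
    if not pattern_filter.accept(packet):
        return "NOT_FOR_HOST"  # discarded or forwarded on network 160
    return port_filter.handle(packet)
```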

1. A method, comprising: receiving a packet at a port filter, wherein the packet comprises a port identifier; determining whether there is a host application associated with the port identifier; and when there is not a host application associated with the port identifier, discarding the packet.